June 2011 Patch Tuesday

June brings plenty of work for IT administrators: Microsoft's June Patch Tuesday addresses 34 vulnerabilities in 16 distinct bulletins. Nine of the bulletins carry a maximum severity of "Critical", while the remaining seven are rated "Important". In addition, there are critical fixes from Adobe for Adobe Reader and from Oracle for Java.

No doubt, IT administrators will have to pick and choose where to act first.

We rank two Microsoft bulletins as the highest priority: MS11-050, which addresses 11 vulnerabilities in Microsoft Internet Explorer versions 6, 7, 8 and 9, and MS11-052, which patches VML, a markup language that is used mainly in Internet Explorer. Browser and plug-in vulnerabilities together have been the point of entry for many recent security incidents and are the main infection vector for mass malware such as Zeus and SpyEye (for some interesting statistics, see the StopBadWare report at https://community.qualys.com/docs/DOC-2736). The combination of MS11-050 and MS11-052, together with APSB11-016 from Adobe and Java CPU June 2011, is the first, highest-priority set of vulnerabilities to address this week. That way IT admins will keep ahead of the "ExploitKit" writers and make their workstation infrastructures more robust by practicing "Good Software Hygiene" (see our recent blog post on our efforts in providing the tools for improving robustness).

Second on our list is MS11-045, which fixes eight vulnerabilities in all versions of Excel, including those for Mac OS X. Microsoft ranks it only as "Important" because the end user is required to open an attacker-provided file, but we believe that attackers have shown often enough that they have the skills to make opening the file enticing for end users, especially with a file format like Excel that is used overwhelmingly for serious, business-related communication.

Other high-priority bulletins are MS11-042 and MS11-043, which address critical flaws in the DFS and SMB clients on Windows. Strict outbound firewalling will help enterprises keep the exposure low in both cases, but since the exploitability index is a low "1" for both vulnerabilities, IT admins should schedule them for inclusion in the patch process as soon as possible.

The only bulletin with a known exploit in the wild is MS11-046, a local privilege escalation flaw in the "afd.sys" driver. IT admins can check with their end-point security providers for coverage, but should include this bulletin high on their to-do lists in any case, as it is only a matter of time until we see more attackers use malware taking advantage of this exploit to gain control of your workstations.